* Fri Aug 2 2019 Marc-André Lureau <marcandre.lureau@redhat.com> - 4.0.0-3

- Fix CVE-2019-14378, rhbz#1735654
This commit is contained in:
Marc-André Lureau 2019-08-02 14:29:43 +04:00
parent d39ab11662
commit d7af790873
2 changed files with 45 additions and 2 deletions

View File

@ -0,0 +1,38 @@
From 126c04acbabd7ad32c2b018fe10dfac2a3bc1210 Mon Sep 17 00:00:00 2001
From: Samuel Thibault <samuel.thibault@ens-lyon.org>
Date: Sun, 28 Jul 2019 19:11:24 +0200
Subject: [PATCH] Fix heap overflow in ip_reass on big packet input
When the first fragment does not fit in the preallocated buffer, q will
already be pointing to the ext buffer, so we mustn't try to update it.
Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
---
src/ip_input.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/ip_input.c b/src/ip_input.c
index 50c7657..8c75d91 100644
--- a/src/ip_input.c
+++ b/src/ip_input.c
@@ -326,6 +326,8 @@ insert:
q = fp->frag_link.next;
m = dtom(slirp, q);
+ int was_ext = m->m_flags & M_EXT;
+
q = (struct ipasfrag *)q->ipf_next;
while (q != (struct ipasfrag *)&fp->frag_link) {
struct mbuf *t = dtom(slirp, q);
@@ -348,7 +350,7 @@ insert:
* the old buffer (in the mbuf), so we must point ip
* into the new buffer.
*/
- if (m->m_flags & M_EXT) {
+ if (!was_ext && m->m_flags & M_EXT) {
int delta = (char *)q - m->m_dat;
q = (struct ipasfrag *)(m->m_ext + delta);
}
--
2.22.0.545.g9c9b961d7e

View File

@ -1,6 +1,6 @@
Name: libslirp Name: libslirp
Version: 4.0.0 Version: 4.0.0
Release: 2%{?dist} Release: 3%{?dist}
Summary: A general purpose TCP-IP emulator Summary: A general purpose TCP-IP emulator
# check the SPDX tags in source files for details # check the SPDX tags in source files for details
@ -8,6 +8,8 @@ License: BSD and MIT
URL: https://gitlab.freedesktop.org/slirp/%{name} URL: https://gitlab.freedesktop.org/slirp/%{name}
Source0: %{url}/-/archive/v%{version}/%{name}-v%{version}.tar.gz Source0: %{url}/-/archive/v%{version}/%{name}-v%{version}.tar.gz
Patch0001: 0001-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch
BuildRequires: git-core
BuildRequires: meson BuildRequires: meson
BuildRequires: gcc BuildRequires: gcc
BuildRequires: glib2-devel BuildRequires: glib2-devel
@ -27,7 +29,7 @@ developing applications that use %{name}.
%prep %prep
%autosetup -n %{name}-v%{version} %autosetup -S git_am -n %{name}-v%{version}
%build %build
%meson %meson
@ -51,6 +53,9 @@ developing applications that use %{name}.
%changelog %changelog
* Fri Aug 2 2019 Marc-André Lureau <marcandre.lureau@redhat.com> - 4.0.0-3
- Fix CVE-2019-14378, rhbz#1735654
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.0-2 * Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 4.0.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild